Google wants to unclog Net's DNS plumbing

Google wants to speed up a key part of the Internet's inner workings called the Domain Name System and is inviting technically savvy folks to try their ideas out.

The DNS is a crucial part of the Internet. It converts the text addresses people can remember into the numeric Internet Protocol addresses actually used to locate information on the Internet. For example, CNET.com's IP address is 216.239.122.102.

When you visit a Web page, a DNS server that's part of a vast distributed network often must perform that conversion--called resolving a host--many times. With the Google Public DNS service, Google wants to be that server.

"Our research has shown that speed matters to Internet users, so over the past several months our engineers have been working to make improvements to our public DNS resolver to make users' Web-surfing experiences faster, safer, and more reliable," said product manager Prem Ramaswami in a blog post introducing the Google Public DNS service.

Google's search service already has made it central to the workings of the Internet. If its DNS service becomes popular, Google could become even more significant.

How does it work?

The primary job of DNS is to track down the address of the server you need to reach to retrieve information on the Net. Overall, the DNS relies on a central address book stored at 13 "root" servers that tie human-readable domains to their numeric IP addresses.

But it would be impractical for a few central servers to handle the entire load of billions of computers constantly querying the database. For that reason, the DNS data is distributed across a hierarchy of many cooperating servers that collectively "resolve" those address queries.

Internet service providers typically have their own DNS servers. They periodically synchronize with the root servers so that, for example, you can get to a newly launched Web site. Often, though, DNS servers must connect with other DNS servers to find addresses they don't have stored.

Key to this process is what's called caching, which in the computing industry means storing data needed quickly where it can be retrieved quickly. After a DNS server takes the trouble to figure out a server's IP address, it keeps that data "warm" in a memory cache for a while so it can respond faster the next time it needs to supply that information.

Caching is the first area where Google Public DNS comes in. Instead of making people wait for the DNS resolution, Google's system preemptively fetches the data in advance based on Google's knowledge of what servers people are using. And where an ordinary DNS server would forget that information after a time, Google's DNS system keeps it in the forefront of its thoughts, so to speak.

"We essentially prefetch the DNS query before the user asks for it," said Ramaswami in an interview. "Because of our scale and the distributed nature of our data centers, we're able to do that with many domain names. We're keeping a lot in the cache, and keeping it warm constantly."

Notable here is that Google has a lot of information about just what sites people want to visit. Google Public DNS doesn't predict an individual's DNS needs, but it does learn from the collective behavior of Net users--not just the use of the DNS system, but of other Google systems, Ramaswami said.

"We're doing it more for the aggregated set of users. For example, we know popular sites based on search. We have an index of domain names from crawling the Web. Also we have usage on what DNS queries people perform from Google Public DNS itself," he said. "We can take this and feed it back into the feedback loop to know what to keep warm."
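To make the "keep it warm" idea concrete, here is an added example (not Google's code) of a resolver cache that refreshes popular names shortly before their TTL expires, fed by the hit counts of earlier queries, while letting rarely asked names expire as an ordinary resolver would; the lookup function, the popularity threshold and the refresh margin are all assumptions.

```python
# Added example (not Google's code): a resolver cache that keeps popular
# names "warm" by refreshing them before their TTL runs out, so a user
# asking for a popular name is never the one who has to wait for the lookup.
import time


class WarmCache:
    def __init__(self, lookup, refresh_margin=5.0, popular_hits=3,
                 clock=time.monotonic):
        self.lookup = lookup              # assumed upstream: name -> (ip, ttl_seconds)
        self.margin = refresh_margin      # refresh this many seconds before expiry
        self.popular_hits = popular_hits  # hits needed to count as "popular"
        self.clock = clock
        self.entries = {}                 # name -> [ip, expires_at, hit_count]
        self.upstream_queries = 0         # how often we went upstream (for measurement)

    def _fetch(self, name):
        ip, ttl = self.lookup(name)
        self.upstream_queries += 1
        hits = self.entries[name][2] if name in self.entries else 0
        self.entries[name] = [ip, self.clock() + ttl, hits]  # keep the popularity count
        return ip

    def resolve(self, name):
        """Answer from cache while the entry is valid; otherwise go upstream."""
        entry = self.entries.get(name)
        if entry is None or entry[1] <= self.clock():
            self._fetch(name)
            entry = self.entries[name]
        entry[2] += 1  # the feedback loop: usage decides what stays warm
        return entry[0]

    def keep_warm(self):
        """Background pass: refresh popular entries just before they expire,
        and evict expired entries that nobody cared enough about."""
        now = self.clock()
        for name, (ip, expires_at, hits) in list(self.entries.items()):
            if hits >= self.popular_hits and expires_at - now <= self.margin:
                self._fetch(name)
            elif expires_at <= now:
                del self.entries[name]
```

Run `keep_warm()` periodically (a timer or background thread); the `upstream_queries` counter lets you measure how many user queries were served without an upstream round trip.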

Security is another part of Google's system. DNS in general can be susceptible to cache "poisoning" attacks that redirect a person to a malicious version of a Web site rather than the real thing. One way to poison a cache is to issue a request to a DNS server that will require it to resolve a Net address by consulting other DNS servers. When it issues that request for help, the attacker supplies it with forged answers.

Google Public DNS attempts to mitigate this risk by adding "junk" information to the messages it sends to other DNS servers. If that same junk doesn't come back in the answer, that's a sign of meddling and the answer should be discarded, he said. Likewise, Google's system uses a mix of uppercase and lowercase letters in its queries, and the replies have to match that casing too.

Should you sign up?

The move is the newest one by Google to pose a dilemma for technophiles. On the one hand, Google often offers services with appealing features. On the other, signing up for them gives Google that much more dominance on the Net. It's scary enough to be reliant on a single company for essential services such as search and e-mail. Do you want the company to become inextricable in the delivery of data across the Internet, too?

Of course, Google Public DNS, like search and Gmail, is optional. It's not as if Google is strong-arming anyone to move over. On the contrary, it's telling any Internet service providers considering reliance on the system to have backup, because there's no assured level of service reliability.

But what happens in a few years if, for example, Google's DNS service becomes popular and reliable enough that more than a few server admins and command-line aficionados sign up--maybe even a paid service like Google Apps or Postini? Then perhaps Google builds itself into the Net, and something convenient becomes something we depend on. I don't know any other companies that use "don't be evil" as a motto to keep themselves straight, but even if Google doesn't abuse its position, it's smart to think twice about reliance on Google for basic Internet plumbing.

Fooling with DNS settings isn't likely to be something most folks do, the way they choose a search engine or e-mail provider. For Google Public DNS to become some sort of dominant service, it likely would be through adoption at companies or Internet service providers who run their own DNS servers. They could use Google's DNS system to supply answers for their own servers' queries.

Then there's the privacy angle. If Google resolves your DNS queries for you, that means its servers know every Web page you visit, and for that matter, which servers send you ads, photos, text, video, and other information on the Net.

Google has enough history to know that's a prickly issue. "This was a huge concern on our end internally," Ramaswami said. For that reason, Google limits the data collected from users, and wipes it out or waters it down periodically. And while Google uses search data for its DNS service, it won't use data from its DNS service elsewhere in the company.

"We built this definitely to make the Web faster. It was not to collect data on the end user," Ramaswami said. IP address data of those who use the service--recorded to detect attacks and malicious behavior--is kept between 24 and 48 hours, he said. Data that identifies which Internet service provider a person uses or where the person's computer is located is stored for two weeks, with a small sample of that kept permanently, but it can't be used in combination with other Google services.

"We will never correlate this data with search logs, toolbar logs, or any other Google product," Ramaswami said.

Is it a control point?

Google genuinely wants to make the Web a richer, more dynamic place where people spend more time, and speed is a part of that. When Web sites respond quickly, people use them more, and when people use the Web more, they search on Google more and see Google search ads more.

Google Public DNS, of course, fits into the faster-Web story. But unlike many other Google projects to improve the Web--the Android operating system for mobile devices, the Chrome browser, and the Chrome OS operating system, for example--Google didn't make its DNS software open-source.

So does that mean it fits more in the proprietary part of Google operations, like Gmail or the search algorithm?

"By sharing, we hope that ISPs and other open [DNS] resolvers will implement it themselves," Ramaswami said. "We've shared the pseudo code--the design documents," he said. It's not releasing the source code itself because it's "tied very deeply into the Google infrastructure."

How well does it work?

I tried the system on two laptops, one with Mac OS X 10.6 Snow Leopard and one with Windows 7. I found no particular troubles (except the lack of instructions for Windows 7--it's the same as for Vista except that you should click "Change adapter settings" rather than "Manage network connections").

It's hard to say whether my browsing got any faster. I have a fast connection to begin with. I didn't notice any slowdown, either, or notice any other problems.

As promised in its Google Public DNS FAQ, Google sidestepped the opportunity to show ads or otherwise capitalize on error pages that show when I tried to reach a nonexistent Internet address. (At least with its DNS service. When using Google's Chrome browser, a bad Web address produces an error page with a Google search box.)

"Google Public DNS complies with the DNS standards and gives the user the exact response his or her computer expects without performing any blocking, filtering, or redirection that may hamper a user's browsing experience," Google says of its service.

Showing ads on error pages is part of the business model of one company, OpenDNS, that makes a living out of the Domain Name System. In a blog post, founder David Ulevitch took Google to task on the matter.

"Google claims that this service is better because it has no ads or redirection," Ulevitch said, but DNS isn't the only Google service. "You have to remember they are also the largest advertising and redirection company on the Internet."